METHOD AND SYSTEM FOR
PROVIDING SECURE USER ACCESS TO PUBLIC OR
PRIVATE TELEPHONE AND INTERNET SYSTEMS

BACKGROUND OF THE INVENTION
Related Applications

The present application is a continuation in part of copending U.S. patent
application Serial No. 09/181,431, METHOD, APPARATUS AND
COMMUNICATIONS SYSTEM FOR COMPANION INFORMATION AND
NETWORK APPLIANCES, Wang, Peter Si-Sheng, Dalgic, Ismail, filed 10/30/98,
and incorporated herein by reference for all purposes. The following copending
U.S. patent application Serial No. 08/866,819, METHOD AND APPARATUS
FOR PROVIDING SECURITY IN A STAR OR HUB NETWORK CONNECTION,
Jain, Nessett, Sherer, filed 5/30/97, and U.S. patent application Serial No.
08/955,869, METHOD AND APPARATUS FOR PROVIDING SECURITY IN A
STAR NETWORK CONNECTION USING PUBLIC KEY CRYPTOGRAPHY,
Jain, Nessett, Sherer, filed 10/28/97 are incorporated herein by reference.

FIELD OF THE INVENTION

The present invention relates to improvements in networked computer
environments and has particular applications to the transmission of information
between digital devices over a communications medium. More specifically, the
present invention relates to the combination of a portable computer with a
communications device to form a compound network apparatus used to provide
secure and authenticated access to public or private telephone and internet
systems.

RELATED ART 

Recent advances in the manufacture and design of integrated circuits
have enabled technology producers to provide portable instruments including
palm-sized computers [or personal digital assistants (PDAs)], such as the Palm
VII from Palm Computing, Inc., Santa Clara, CA. Accessories are available
that allow a portable computer to become part of a telecommunications device.
One such accessory is described in U.S. Patent No. 5,606,594, granted to
Register et al. on February 25, 1997, entitled "Communication Accessory and
Method of Telecommunicating for a PDA". Similarly, U.S. Patent No. 5,497,339,
granted to Bernard et al. on March 5, 1996, provides for a PDA that mounts within
a communications device. A prior system describes an information appliance
(PDA) and a network appliance (or telephone) that function independently as
well as with each other as companion appliances.

In prior art, a communications appliance (digital telephone or ethernet
telephone) is connected directly to the Local Area Network (LAN), and the
information appliance (computer or PDA) is connected directly to the
communications appliance. That is, the communications appliance is always
connected between the LAN and the information appliance (they are connected
in series). Both system security means as well as types and methods of data
transmission are limited by the capabilities of the communications appliance
(telephone). This topology limits the application to systems requiring ethernet
telephones or other specially adapted telephones. Thus prior art excludes
applications which could possibly incorporate an existing public switched
telephone network (PSTN).

Prior attempts to solve PDA-based number portability and mobility
problems, as well as problems of authentication, accounting and billing support
for LAN telephones, have been based on the use of calling cards, some of which
require the user to recall a Personal Identification Number (PIN).

SUMMARY OF THE INVENTION

Accordingly, what is needed is a more generally applicable system that
can be used in business or industry without the requirement of special
telephones. In the present invention, both the information appliance (computer
or PDA) and the communications appliance (an ethernet telephone) are
connected directly to the LAN. A non-ethernet telephone can be connected
directly to the LAN by connecting a Voice Over IP Gateway between the
telephone and the LAN. This topology obviates the need for specialized
telephones and in addition allows the application of any of the various security
schemes disclosed in the above cited U.S. patent applications, Serial No.
08/866,819, and Serial No. 08/866,819. Furthermore, the types and means of
data transmission are limited by the information appliance (a computer or PDA)
rather than by the telephone.

What is needed yet is a method and system that is economically feasible
for use in either private or commercial LAN or internet systems, whether
connected by coaxial cable, by twisted pair wire commonly known as CAT5, by
fiber optic cable, by wireless means or by some combination thereof.

What is described is a public telephone and Internet access system that
comprises Personal Digital Assistants (PDA) that are connected to an ethernet
Local Area Network (LAN) by a network cradle, and a number of ethernet
telephones connected to the same LAN. Even though we describe the process
in terms of ethernet LANs, the mechanisms apply to other 802 LANs as well. The
PDAs store encrypted information about their owners, including the owner's
name, their phone forwarding preferences, access permissions to the network,
and charging/billing information. When a PDA is attached to a network cradle,
this information is automatically transferred to the gatekeeper, which is a server
that performs management tasks for the ethernet phone network. These tasks
include deciding whether or not a user is allowed to sign up and use a public
ethernet phone, maintaining billing and charging information, and forwarding
incoming calls for a given user to the ethernet phone at the user's current
location.

The present invention provides these advantages and others not 
specifically mentioned above but described in the sections to follow. 

BRIEF DESCRIPTION OF THE DRAWINGS

Figure 1 is a generalized topology for a typical LAN. 

Figure 2 is a generalized topology to illustrate one possible embodiment 
of this invention and is included for clarity of discussion. It will be apparent to 
those of skill in the art that this invention has applications with many different 
topologies and therefore should not be seen as limited by this topology. 

Figure 3 is a state diagram illustrating steps of the authentication process
in accordance with an embodiment of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

In the following detailed description of the present invention, a method
and system to provide secure user access to public or private telephone systems
and the internet, numerous specific details are set forth in order to provide a
thorough understanding of the present invention. However, it will be obvious to
one skilled in the art that the present invention may be practiced without these
specific details. In other instances well known methods, procedures,
components, and circuits have not been described in detail so as not to
unnecessarily obscure aspects of the present invention.

Networking Devices and Standards

This specification assumes familiarity with the general concepts, protocols
and devices currently used in Local Area Networks (LANs) and Wide Area
Networks (WANs) such as the IEEE 802.x and ISO 8802 protocol suites and
other series of documents released by the Internet Engineering Task Force that
are publicly available. For discussion purposes, a generalized topology for a
typical LAN (40) is given in Fig.1. LAN topology refers to the manner in which
the hardware elements comprising the network are interconnected. Common
topologies for LANs are bus, tree, ring and star. LANs may also have a hybrid
topology made up of a combination of these. Overall, the LAN in Fig.1 has a
tree topology, but also incorporated is 72d having a bus topology and 70d having
a star topology. The present invention may be used with any of the above
mentioned topologies including a ring topology.

The LAN in Fig.1 represents an arrangement of various hardware and
software elements that operate together to allow a number of digital devices to
exchange data within the LAN, and also may include internet connections to
external WANs such as WAN 82 and 84. Connection to a Public Switched
Telephone Network (PSTN) can be provided by a Voice over IP Gateway that
might be included in WAN2. The typical LAN is comprised of one or more LAN
Intermediate Systems (ISs) such as ISs 60-62 and 67 that are responsible for
data transmission throughout the LAN and a number of End Systems (ESs) such
as ESs 50a-f, 51a-c, and 52a-g, that represent end user equipment. The ESs
may be familiar end-user data processing equipment, such as personal
computers, Personal Digital Assistants (PDAs), workstations, printers and
additionally other digital devices such as digital telephones or real-time video
displays. Different types of ESs can operate together on the same LAN. In the
LAN topology of Fig.1, ISs 60 and 61 are referred to as bridges, WAN ISs 64 and
66 are referred to as routers, and IS 67 is referred to as a repeater. The LAN
network topology in Fig.1 is of a general nature for discussion purposes, and this
invention is not limited in application to this topology.

A segment is generally a single interconnected medium such as a coaxial
cable, a contiguous wire(s), optical fiber or a particular frequency band. The
LAN in Fig.1 has segments 70a-g, 71a-e, 72a-e and 73a. A segment may
connect just two devices, such as segment 70a (also referred to as a
point-to-point or star connection). A segment such as 72d may connect a number of
devices using a Carrier Sense Multiple Access/Collision Detection (CSMA/CD)
protocol or other multiple access protocol such as a token bus or token ring.
Signals transmitted on a single segment such as 72d are simultaneously heard
by all of the ESs and ISs connected to that segment.

A LAN may also contain a number of repeaters, such as repeater 67. A
repeater generally physically repeats out of each of its ports all data received on
any one port, such that the network behavior perceived by ESs 50a-c and the
port of IS 60 connected to 67 is identical to the behavior these ports would
perceive if they were all connected on the same segment such as 52d-g and the
corresponding port of 62. Repeaters configured in a star topology such as 67
are also referred to as hub repeaters. The terms hub or star are used in
networking to indicate either a switch/bridge layer 2 device, or a repeater layer 1
device. In the Fig.1 LAN, bridges 61, 62, and 63 have a star or hub configuration
as does repeater 67.

Drivers and Adapters 

Each of the ISs and ESs in Fig.1 includes one or more adapters and
hardware or software instructions sometimes referred to as drivers. An adapter
generally includes circuitry and connectors for communication over a segment
and translates data from the digital form used by the computer circuitry in the IS
or ES into a form such as electrical or optical signals, or radio waves that may be
transmitted over the segment. An ES such as 50b will generally have one
adapter for connecting to its single segment. A LAN IS such as 61 will have five
adapters, one for each segment to which it is connected. A driver is a set of
instructions resident on a device that allows the device to accomplish various
tasks as defined by different network protocols. Drivers are generally software
programs stored on the ISs or ESs in a manner that allows the drivers to be
modified without modifying the IS or ES hardware.

Network ISs: Routers, Bridges, Repeaters

The LAN in Fig.1 includes bridges 60-63. A bridge is understood in the art
to be a type of computer optimized for very fast data communication between
two or more segments. A bridge according to the prior art generally makes no
changes to the data packets it receives on one segment before transmitting them
on another segment.

A LAN may also contain a number of repeaters, which is one possible
configuration for device 67. A repeater generally repeats out of each of its ports
all data received on any one port, such that the network behavior perceived by
ESs such as 50a-c is generally identical to the behavior they would perceive if
they were connected on the same segment such as 52d-g.

It is intended that this invention be applicable in such instances as private
businesses, educational institutions, government organizations as well as in
configurations available to the general public. One possible embodiment of this
invention is illustrated by the topology in Fig.2. The LAN network (100) is a
generalized representation as discussed previously within which are various
hardware and software elements that operate together to allow a number of
digital devices to exchange data within the LAN, and also to exchange data with
external devices such as ESs, routers or WANs. Numerous different topologies
within the LAN are appropriate for this invention and thus the segments between
hardware elements within the LAN are omitted. One embodiment utilizes
telephones connected to an Ethernet LAN. Other embodiments are realized by
means of other 802 LANs.

A method and system are disclosed that will allow access to a LAN for the
purpose of local communication within the LAN, for local or long distance
telephone communication by connection to a Public Switched Telephone
Network (PSTN), or for communication by connection to the internet. System
security is incorporated since user access to the LAN is granted only after a
requesting user and any connected equipment are identified and authenticated.
Once any request is authenticated and user access is allowed to the LAN, any
disruption to the connection between that equipment and the LAN will be
recognized by the LAN, and such equipment will immediately be denied access
to the LAN. Furthermore, the present invention provides additional system
security by incorporating a method to detect and immediately disconnect from
previously authenticated equipment that exhibits any operational variation(s)
unfamiliar to the LAN. An embodiment of this invention consists of a LAN, with a
dedicated server called a Gatekeeper (110), a Router (120) to connect the LAN
to the Internet, a gateway (130) used to connect the LAN to a Public Switched
Telephone Network (PSTN) (131), and one or more telephone booths (PBs)
(140, 150) each of which contains a telephone and a PDA cradle. The PDA
cradle is the device used to connect the PDA to the LAN. Each PB connects to
the LAN by means of a hub/switch (Bridge/Switch) (IS). PBs 140, 150, 160 and
170 are connected directly to IS-1(141), IS-2(151), IS-3(161) and IS-4(171)
respectively.

Phone booths 140 and 150 each contain an Ethernet phone, which is
identical to a regular telephone in appearance and basic functionality, but has a
connector for ethernet as opposed to an analog or digital phone line. Both
ethernet phones are connected directly to the LAN. Phone booth 140 also
contains a PDA cradle that has an ethernet interface, but phone booth 150
contains a serial cradle to accommodate a PDA having a serial interface such as
RS-232. The cradle in phone booth 140 is connected directly to the LAN, while
the cradle in phone booth 150 connects directly to the LAN by means of the
serial-to-network converter. It is also possible to use other non-ethernet
interfaces such as parallel or Universal Serial Bus (USB), or infrared.

Phone booth 160 contains a non-ethernet telephone which is connected
to Bridge/Switch IS-3 by means of a Voice Over IP Gateway, while the ethernet
cradle is connected directly to Bridge/Switch IS-3. Phone booth 170 also
contains a non-ethernet telephone which is connected to Bridge/Switch IS-4 by
means of a Voice Over IP Gateway, and the serial cradle is connected to
Bridge/Switch IS-4 by means of a Serial-to-Network Converter.

If the user in the phone booth does not have a PDA with the appropriate
software, the system allows only toll-free calls, including calling card access
numbers and emergency 911 calls. In order to make full use of the system, the
user must have a PDA that fits in the cradle, and that has the phone
management software. When the user drops his/her PDA in the network cradle
and activates the phone management software, the network cradle receives the
user's authentication and billing information from the PDA software and sends a
message to the hub/switch to which it is connected. The hub/switch then
communicates with the gatekeeper (110) to check the user's credentials, and if
they are satisfactory, allows network connectivity for the network cradle and
permits the phone to make toll calls. If the booth includes a serial cradle, then
the serial cradle and serial-to-network converter perform the same function as
the network cradle to exchange authentication information with the hub/switch.

Figure 3 provides a state diagram illustrating the authentication process in
accordance with an embodiment of the present invention. Authentication is
initiated by the hub/switch when it detects a connection on a port (detection of a
linkbeat or observance of a message) (step 200). Alternatively, the network
cradle, serial-to-network converter, or serial cradle indicates to the hub/switch to
initiate authentication when a device is plugged in. This indication can be a
physical signal (turning the linkbeat off momentarily) or a message to this effect.
The hub/switch uses a backend AAA infrastructure through the gatekeeper to
authenticate the connecting user as described in previously cited patent
applications Serial No. 08/866,819, and Serial No. 08/866,819. More
specifically, the hub/switch will request certain user data such as user
identification (ID) and password (PW) (step 201) from the PDA. At this point
(step 202), the PDA provides information to the hub/switch.

The information supplied by the PDA is then forwarded by the hub/switch
to the gatekeeper for user identification and authentication (step 203). If the user
is authenticated successfully (step 204) and the user has a dedicated link to the
hub/switch port (via a network cradle for example) (step 200), the hub/switch port
is opened (step 205) and a success message is sent to the network cradle (step
206). The network cradle now allows the user to make phone calls. If the switch
port is shared (via a serial-to-network converter supporting multiple serial ports
for example), a message is sent by the hub/switch to the cradle/converter to
open up the corresponding serial port. If the user authentication fails (204), the
hub/switch port is blocked (dedicated port) (205) or a failure message is sent to
the cradle/converter (206) to block the corresponding serial port. A failure
message is displayed to the user on the PDA (206).

The above process can be extended to shared switch ports via network
cradles as well (multiple network cradles connected to a switch port via a
repeater). In this case, the authenticator (hub/switch) indicates to the
authenticating network cradle to open/block the network port based on the
results of authentication. The authenticator can also install filters to
allow/disallow traffic from the corresponding MAC addresses.
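
The Fig. 3 flow and the shared-port MAC filtering described above, modelled in Python as an added example that is not part of the original specification. All class, method and field names are hypothetical, and the salted PBKDF2 credential check is an assumption, since the text defers the AAA details to the cited applications.

```python
"""Added illustration of the Fig. 3 flow; every class and field name is hypothetical."""
import hashlib
import hmac
from dataclasses import dataclass, field


class Gatekeeper:
    """Stands in for the gatekeeper and its AAA backend (steps 203-204)."""

    def __init__(self):
        self._users = {}  # user_id -> (salt, digest); this storage scheme is an assumption

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, user_id, password, salt):
        self._users[user_id] = (salt, self._digest(password, salt))

    def authenticate(self, user_id, password):
        # Unknown users take the same code path and always fail the comparison.
        salt, stored = self._users.get(user_id, (b"\x00" * 16, b""))
        return hmac.compare_digest(stored, self._digest(password, salt))


@dataclass
class Port:
    shared: bool = False   # True when a repeater or serial converter fans out
    is_open: bool = False  # dedicated ports: blocked until authentication succeeds
    allowed_macs: set = field(default_factory=set)  # per-device filter on shared ports


class HubSwitch:
    """Authenticator: every port starts blocked and opens only on gatekeeper approval."""

    def __init__(self, gatekeeper, ports):
        self.gatekeeper = gatekeeper
        self.ports = ports

    def link_up(self, port_id, mac, user_id, password):
        """Steps 200-206: link detected, ID/PW requested, forwarded, result applied."""
        port = self.ports[port_id]
        ok = self.gatekeeper.authenticate(user_id, password)
        if port.shared and ok:
            port.allowed_macs.add(mac)      # admit only this device's traffic
        elif port.shared:
            port.allowed_macs.discard(mac)
        else:
            port.is_open = ok               # step 205 on a dedicated port
        return ok                           # step 206: result reported to the cradle

    def link_down(self, port_id, mac):
        """A disrupted connection loses access at once and must re-authenticate."""
        port = self.ports[port_id]
        port.allowed_macs.discard(mac)
        if not port.shared:
            port.is_open = False

    def may_forward(self, port_id, mac):
        port = self.ports[port_id]
        return mac in port.allowed_macs if port.shared else port.is_open


def demo():
    """Constructed sample run: one dedicated port (1) and one shared port (2)."""
    gk = Gatekeeper()
    gk.enroll("alice", "correct horse", b"constructed-salt")
    sw = HubSwitch(gk, {1: Port(), 2: Port(shared=True)})
    a, b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"  # constructed MAC addresses
    out = {"before_auth": sw.may_forward(1, a)}
    sw.link_up(1, a, "alice", "correct horse")
    out["after_auth"] = sw.may_forward(1, a)
    sw.link_down(1, a)
    out["after_unplug"] = sw.may_forward(1, a)
    sw.link_up(2, a, "alice", "correct horse")
    sw.link_up(2, b, "mallory", "guess")
    out["shared_good"] = sw.may_forward(2, a)
    out["shared_bad"] = sw.may_forward(2, b)
    return out


if __name__ == "__main__":
    print(demo())
```

On the shared port, the failed login leaves the already authenticated device's filter entry untouched, which is the per-device isolation the MAC filters provide.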

Advantages of the present invention include portability of numbers. An
authenticated user can simply drop the PDA into a cradle and begin making toll
phone calls at the push of a button. A phone number stored in the PDA address
book can be dialed automatically by the PDA. The graphical user interface on
the PDA can display information such as callee's phone number and name,
duration and cost of an ongoing call and a history of calls made. The phone
booth can be extended into a virtual office since the PDA can communicate the
user's phone number to the gatekeeper, and set up automatic call forwarding
such that the calls made to the user's office number are forwarded to the
ethernet phone at the phone booth.

Furthermore, the PDA can be used to access the internet, allowing
applications such as World Wide Web and e-mail to be executed on the PDA. A
user can be given the option to carry a voice conversation over the public
internet, thereby reducing the toll costs. Moreover, in this case, the long
distance charges can be directly paid to the organization providing the toll
booths, which may include places such as airport, restaurant or hotel
installations. Such organizations are thereby offered an economic benefit.

The preferred embodiment of the present invention, a method and system
to provide secure user access to public or private telephone systems and the
internet, is thus described. While the present invention has been described in
particular embodiments, it should be appreciated that the present invention
should not be construed as limited by such embodiments, but rather construed
according to the below claims.

CLAIMS

What is Claimed is: 

1. A data system comprising:

a local area network (LAN) comprising a hub/switch and coupled to a
server, said LAN for coupling with a Public Switched Telephone Network for
communication therewith;

an ethernet phone coupled to communicate with said LAN;

a cradle for receiving a portable computer system and also coupled to
communicate with said LAN without going through said phone;

wherein said hub/switch is for detecting a connection to a portable
computer system and for performing authentication in response thereto;

wherein said cradle is for receiving user authentication data from said
portable computer system and transmitting said user authentication data to said
server; and

wherein said server is for opening a port on said hub/switch allowing said
ethernet phone to communicate voice data over said LAN and also allowing said
cradle access to said LAN provided said authentication is successful and
otherwise for causing said hub/switch to block said ethernet phone and said
cradle from accessing said LAN.

2. A data system as described in Claim 1 further comprising a serial to
LAN converter and wherein said cradle is coupled to a serial port of said serial to
LAN converter and wherein said serial to LAN converter is coupled to said
hub/switch of said LAN.

3COM-2399.CTO

CONFIDENTIAL

3. A data system as described in Claim 1 further comprising a Voice
Over IP Gateway and a non-ethernet telephone and wherein said non-ethernet
telephone is coupled to said Voice Over IP Gateway and wherein said Voice
Over IP Gateway is coupled to said hub/switch of said LAN.

4. A data system as described in Claim 1 wherein said server utilizes
backend AAA infrastructure to perform said authentication.

5. A data system as described in Claim 1 wherein said connection is
detected by a linkbeat signal.

6. A data system as described in Claim 1 wherein said user
authentication data comprises a user identity and user billing information.

7. A data system as described in Claim 1 wherein said user
authentication data is encrypted.

8. A data system as described in Claim 1 wherein said portable
computer system is a personal digital assistant (PDA).

9. A data system as described in Claim 1 wherein said portable
computer system comprises a display screen for displaying status information
regarding said authentication.

10. A data system as described in Claim 1 wherein said ethernet
phone and said cradle are located in proximity to each other within a phone
booth.

11. A method of performing authentication within a data system
comprising the steps of:

a) placing a portable computer system into a cradle, said cradle
associated with an Ethernet phone;

b) detecting a connection to said portable computer system in response to
said step a), said step b) performed by a hub/switch of a local area network
(LAN) that is connected to a Public Switched Telephone Network;

c) in response to said step b), a server of said LAN causing said cradle to
access user authentication data of said portable computer system and to
transmit said user authentication data to said server;

d) performing user authentication based on said user authentication data;

e) provided said user authentication is successful, said server opening a
port on said hub/switch for allowing said Ethernet phone to communicate voice
data over said LAN and also allowing said cradle access to said LAN; and




f) provided said user authentication is not successful, said server blocking 
said Ethernet phone and said cradle from accessing said LAN. 

12. A method as described in Claim 11 further comprising the step of
said cradle communicating with said LAN using a serial interface coupled to a
serial to LAN converter that is coupled to said hub/switch of said LAN.

13. A method as described in Claim 11 wherein said step d) comprises
the step of using backend AAA infrastructure to perform said user authentication.

14. A method as described in Claim 11 wherein said step b) is
performed using a linkbeat signal.

15. A method as described in Claim 11 wherein said user
authentication data comprises a user identity and user billing information.

16. A method as described in Claim 11 wherein said portable computer
system is a personal digital assistant (PDA).

17. A method as described in Claim 11 wherein said portable computer
system comprises a display screen and further comprising the step of displaying
status information regarding said user authentication.




18. A method as described in Claim 11 wherein said Ethernet phone
and said cradle are located in proximity to each other within a phone booth.

19. A system for network security comprising:

a server for storing data that defines users and equipment authorized to
access said network;

a cradle for receiving a PDA;

a phone associated with said cradle;

a direct connection through the network and bypassing the phone
between the server and the PDA;

wherein said server is for comparing the stored data with authentication
data from the PDA;

wherein said server is also for granting user access to the system when
comparison of said stored data with said PDA data provides user and equipment
authentication;

wherein said server is also for denying user access to the system when
comparison of said stored data with said PDA data fails to provide user and
equipment authentication;

ABSTRACT OF THE INVENTION

A public telephone and Internet access system that comprises Personal
Digital Assistants (PDA) that are connected to an ethernet or other Local Area
Network by a network cradle, and a number of ethernet telephones connected to
the same Local Area Network. The PDAs store encrypted information about
their owners, including the owner's name, their phone forwarding preferences,
access permissions to the network, and charging/billing information. When a
PDA is attached to a network cradle, this information is automatically transferred
to the gatekeeper, which is a server that performs management tasks for the
ethernet phone network. These tasks include deciding whether or not a user is
allowed to sign up and use a public ethernet phone, maintaining billing and
charging information, and forwarding incoming calls for a given user to the
ethernet phone at the user's current location. This invention provides a secure
method for the PDA and the gatekeeper to exchange authentication information.